ba2bcdb7f7a07905a9be4c223eba6477ef2de779d47859a95299c844c66625f2

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
Size

2.7MB
MD5

bcfe017487a3154741fbc7a0ec51ed90
SHA1

aaf0251dd2834c2f35e87471b48d2a5722afd215
SHA256

ba2bcdb7f7a07905a9be4c223eba6477ef2de779d47859a95299c844c66625f2
SHA512

ffee900f4c741221ae6cef5a8672fc20bf63e2599db2eaf82db25dfdc58b6f9a135c668da2e952b1e9df926b48f6328c97f897c55b5f343d90c8fd07d161cd7c
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBw9w4Sx:+R0pI/IQlUoMPdmpSpi4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4352	xbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotT1\\xbodloc.exe"	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxT7\\optialoc.exe"	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
4352	xbodloc.exe
4352	xbodloc.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 4352	876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe	89
PID 876 wrote to memory of 4352	876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe	89
PID 876 wrote to memory of 4352	876	bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bcfe017487a3154741fbc7a0ec51ed90_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:876
- C:\UserDotT1\xbodloc.exe
  C:\UserDotT1\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxT7\optialoc.exe

Filesize
2.7MB

MD5
19d08c30e2ceb5308722bd60bf121523

SHA1
0143b6465eece8b58287fbff7c71ece1919c6465

SHA256
ef47b332ab42da0fea4c627752a8c2f92cca0d2808fec9835fa1d24a48fc23b9

SHA512
6beb32902668c1be7469f6a77b0d6bd1ba778293e582c5f8d8b51ddd23607a19431aede6e886d58758e6a11ff1ea431f67bfd37463cdef96a06acf647a1d2c0d

Download Submit
C:\UserDotT1\xbodloc.exe

Filesize
2.7MB

MD5
5718b04058c25256519689326fe4ff40

SHA1
4439a14a241cfb4914ccc9e90f8d8cc87fe0e5a8

SHA256
2bc71e7f2c13d0374cff21c069e7df26241c6fd6efce40adeb4f2b81ae5215b6

SHA512
4f14a23d584e31a3653735a04135b85f58de02ac643e607044c7be607d21334871da6dae519934cc344488b4a83315b274c73ac34d95dc678b7cbb23022c1518

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
449047f4b6120566869e47cd9e955972

SHA1
c683022816bc82cde1db4520cbf58a98fde0380c

SHA256
6cae1b8a9dda71ed50145b03572c4421cada50fd8e4eaf7598d8bb9f3f47ab69

SHA512
83ab1a09b6f7f938293caef59f8ce2b9014da52868a85cc7518b2d8b1d53698ff1a37ef978af22518d55c5f148c02dbfabd7e8b1c6282be1e32bfe208ab1dfb0

Download Submit